ISO 27001 Clause 7.5.2 Creating and Updating Documented Information

Time needed: 1 day

How to comply with ISO 27001 Clause 7.5.2 Guide to Creating and Updating Documented Information

1. Choose your document format

   The simplest format for creating your documents is going to be Microsoft Office. It provides the most flexibility and the most options for exporting in different formats such as PDF. You can use any format you like, for example Google Docs, but decide up front what format your documents will be in.

2. Build document templates

   You will require document templates for each document type that you will create. This is typically Word processing, Spreadsheets, Presentations, Diagrams. We recommend creating a Microsoft Word template, a Microsoft Excel Template and a Microsoft Powerpoint template. Optionally considering buying the ISO 27001 Toolkit that includes all the documents that you need that fully this requirement for document mark up. If you create your own ISO 27001 document templates then the ISO 27001 document templates should include the following steps.

3. Add a title place holder

   Every document requires a title so provide a place holder in your template for the document title.

4. Add a date place holder

   Every document requires a date so provide a place holder for the date the document was last amended in your document template.

5. Add an author place holder

   Every document requires an author so provide a place holder for the author of the document in your ISO 27001 document template.

6. Optionally add a reference number place holder

   Reference numbers are not required and are optional. If they make sense for you provide a place holder for the reference number of the document.

7. Add a version control table

   Version control is very important in a document to show the history of that document. Include a version control table in your document template that has columns for the date of the change, how made the change, what change they made and the version number of the document. Include rows in the template as place holders that can be completed.

8. Add a last reviewed date place holder

   The date of last review may be the date the document was last updated or it may not. A document may not need to be reviewed every-time it is up dated. Be sure to provide a place holder in your ISO 27001 document template for the date the document was last formally reviewed. It is good practice to provide evidence of the review and the easiest way to do this is have the document reviewed and signed off at the management review team meeting and then minuted in the meeting minutes.

9. Add a document confidentiality level place holder

   The classification of documents is very important and covered under other clauses within the standard but now is a good time to provide a place holder for the document classification. This will be used to apply the appropriate level of controls to the document.

10. Use the ISO 27001 document templates to create your actual documents

    Use the templates that you have created as a baseline to create your information security management system documents, policies and records of evidence. It is best practice to apply this mark up to all the documents that will be covered by the scope of your ISO 27001 certification. The auditor will check.

11. Before you get audited

    Check, double check and recheck your documentation before you get audited. The documentation is the primary thing that you will be audited on. Make sure all your version controls are up to date, documents are clean of comments and review mark up, that they have appropriate approvals, appropriate document markup. Ensure that the version control has been touched at least once in the last 12 months before the audit happens.